[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

To: users@xxxxxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability
From: Brett Porter <brett@xxxxxxxxxx>
Date: Fri, 11 Feb 2011 01:19:40 +1100

CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

Severity: Important

Vendor: 
The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

Description:
A request that included a specially crafted request parameter could be
used to inject arbitrary HTML or Javascript into Continuum project
pages.

Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7

Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066056

Credit:
This issue was discovered by Tal Be'ery of Imperva.

References:
http://continuum.apache.org/security.html

--
Brett Porter
brett@xxxxxxxxxx
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)
Next by Date: Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)
Previous by thread: [Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC
Next by thread: [Full-disclosure] [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability
Index(es):
- Date
- Thread